Popular Cyber Attacks and Due Care for Reasonable Security

As children, we enjoyed reading the many fairytales that began with, “Once upon a time.”  As adults in the workplace, we regrettably read the stories of so many recent cyber attacks that start with, “Someone opened a phishing email.”

That is because 91% of all cyberattacks start with some type of phishing email that is so alluring and convincing that someone clicks its maliciously embedded hyperlink or attachment, and, well, the rest is history.  Attackers do not need to attack the vigorously defended perimeter created by your organization’s robust firewall.  Just like the French Maginot Line that the German army so easily outflanked in World War II, today’s cyber criminals can walk unimpeded into your seemingly impenetrable network by targeting the weakest security link of your organization: your employees.  It is crucial for you and your team to be aware of these threats and to know how to respond.  Below is a short guide outlining the most common types of attacks today and how to identify and combat these cyber security threats.

Social Engineering

Social engineering is a term popularized by Kevin Mitnick, a reformed cybercriminal and one of the most famous computer hackers of all time.  Mitnick, like so many cybercriminals, learned that it is much easier to manipulate a user into handing over their password than it is to hack the system to find it.  A social engineering perpetrator is nothing more than a con artist.  The goal is to obtain confidential information from a user that can then be used to carry out a future theft or attack.  Social engineering attacks are built around a compelling story, such as:

  • An incredible deal that is expiring
  • You have an overdue payment
  • An urgent financial transaction needs your confirmation
  • Your computer has been compromised by malware or hacker

The key to thwarting any type of social engineering attack is to slow down.  Social engineering attacks depend on rushing the intended victim so they do not have time to second-guess the situation at hand.  You should also make an attempt to authenticate the person claiming the authority to make the request.

Phishing

Anyone who has an email address is fully aware of this type of social engineering attack.  According to the Verizon 2018 Data Breach Investigations Report, 78 percent of users within an organization did not click a single embedded link within an email in 2017.  Unfortunately, that leaves 22 percent who did, with four percent clicking on just about anything that came in an email.  Phishing is a numbers game.  A million phishing emails are cast out concerning “your package delivery by UPS”.  Out of that million, only a small percentage will get past email filtering systems.  Of the ones that make it, only a small percentage of recipients will be expecting a package from that shipping company, and of that group, we know that at least four percent will click the link.

Every organization requires some sort of third-party email security system, even those that use public cloud email systems such as Office 365.  Users must also undergo security awareness training that teaches them to be skeptical and to identify suspicious emails that should be further scrutinized by IT.

Vishing

This form of cyber attack seems dated in today’s digitally connected world, but it is still highly effective.  Like phishing, vishing is a numbers game, with millions of automated prerecorded messages being sent to phone lines in order to cast a wide net.  Referred to as “dialing for dollars,” the typical message outlines some urgent matter, and the victim is instructed either to press a number on their phone to be transferred to a representative or to call back on a given number.  Once the victim initiates contact with the representative, they are in the final crosshairs of the scammers.

Always be skeptical of automated messages that convey urgency.  Rather than being transferred to a representative or obediently calling the number provided, authenticate the source by looking up the organization’s phone number with a reputable search engine and calling that number to verify.

Smishing

Though relatively new on the scene, smishing is growing because cybercriminals are realizing the potential of SMS messaging (texting) for their schemes.  Nearly a trillion text messages are sent every hour across the globe, and 90 percent of them are read within three minutes of receipt.  Since the success of social engineering attacks relies on urgency and immediacy, texting is a perfect medium, which is why its use is growing.

While text messaging is often used for multi-factor authentication, those messages simply use text as a means to deliver a PIN that is then entered into another system.  It is sound advice to never click a hyperlink delivered by text and never call an unknown phone number.

BEC Attacks

Also referred to as whaling attacks, Business Email Compromise (BEC) attacks are centered around the idea of impersonating a C-level executive of a targeted organization.  The scam involves a fraudulent email from the high-level executive to someone within the organization requesting a wire transfer, tax documents or employee records.  While phishing attacks are carried out to achieve multiple objectives, such as delivering ransomware, stealing passwords or downloading malware, to name a few, BEC attacks are all about the money, a lot of money.  According to the FBI last year, BEC attacks are now a $5 billion business.  The financial losses inflicted on an organization from a single attack can be huge.  In 2016, the Mattel Corporation was the victim of an elaborate whaling scheme in which an attacker spoofed the email of the new CEO on his first day of work.  An email was sent to a finance executive instructing him to send a wire transfer to a Chinese bank account for a new vendor.  The wire transfer was for $3 million.  Fortunately, the money was later recovered.

Unlike phishing attacks, BEC attacks are specifically targeted and well planned out.  Once the attackers infiltrate the email system, they will observe and study the email culture of the organization for months.  The attack is then timed to coincide with a top executive being on vacation or new on the job.  BEC attacks are often immune to standard spam filtering solutions, but there are a number of ways to combat them.

  • Implement a protocol in which all financial wire requests must be verified verbally over the phone. Some organizations require the confirmation of a secret word or phrase at the start of the call.
  • To expose a spoofed sender, have users hit the forward button rather than the reply button. Doing so lets them see and confirm the exact email address of the person requesting money or confidential materials.
  • Rather than simply hitting the reply button to respond to requests, have users create a new email addressed to the confirmed email address of the requester.
  • Caution C-level executives against posting personal information, such as vacation plans, or details that could be used to answer the security questions in a password reset.
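The second and third bullets above come down to one check: does the visible display name match the actual sending address, and do replies really go back to that address?  The following script is an added example (not HALOCK’s code, nor from any product the article describes) that applies that check to inbound mail headers.  The executive directory, the internal domain `example.com`, the lookalike domain `examp1e.com` and the three sample messages are all constructed for the illustration; the urgency keywords are a rough heuristic drawn from the article’s description of BEC requests, not a production ruleset.

```python
"""Flag inbound mail that carries the hallmarks of executive impersonation (BEC).

Added example: the directory, domain names and messages below are constructed.
Requires Python 3.9+ for the list[str] annotation.
"""
from email import message_from_string
from email.utils import parseaddr

# Constructed executive directory for a hypothetical company. In a real deployment
# this would be pulled from the identity provider or HR system, not hard-coded.
EXECUTIVES = {
    "Jane Doe": "jane.doe@example.com",
}
INTERNAL_DOMAIN = "example.com"

# Rough heuristic for the "urgent money or records" language the article describes.
URGENCY_TERMS = ("wire", "urgent", "payment", "tax documents", "w-2")


def bec_indicators(raw_message: str) -> list[str]:
    """Return the reasons a message looks like BEC; an empty list means no indicator fired."""
    msg = message_from_string(raw_message)
    from_name, from_addr = parseaddr(msg.get("From", ""))
    _, reply_addr = parseaddr(msg.get("Reply-To", ""))
    from_addr, reply_addr = from_addr.lower(), reply_addr.lower()
    reasons = []

    # 1. The display name is one of our executives, but the address is not theirs.
    #    This is exactly what "forward instead of reply" lets a user see by eye.
    directory_addr = EXECUTIVES.get(from_name.strip())
    if directory_addr and from_addr != directory_addr:
        reasons.append(
            f"display name '{from_name}' does not match directory address {directory_addr}"
        )

    # 2. An executive's name arriving from a domain other than our own (lookalike or free-mail).
    from_domain = from_addr.rsplit("@", 1)[-1] if "@" in from_addr else ""
    if directory_addr and from_domain != INTERNAL_DOMAIN:
        reasons.append(f"external sending domain '{from_domain}'")

    # 3. Reply-To diverts replies away from the From address, so a plain "Reply"
    #    would go to the attacker even when From looks right.
    if reply_addr and reply_addr != from_addr:
        reasons.append(f"Reply-To '{reply_addr}' differs from From '{from_addr}'")

    # 4. Subject or body uses the urgency/money language typical of BEC requests.
    body = msg.get_payload() if not msg.is_multipart() else ""
    text = f"{msg.get('Subject', '')} {body}".lower()
    if any(term in text for term in URGENCY_TERMS):
        reasons.append("urgent payment or records language in subject/body")

    return reasons


# Constructed sample messages.
SPOOFED = """From: Jane Doe <jane.doe@examp1e.com>
To: finance@example.com
Subject: Urgent wire transfer for new vendor

Please process the attached wire before end of day.
"""

DIVERTED = """From: Jane Doe <jane.doe@example.com>
Reply-To: jane.doe.ceo@freemail.example
To: finance@example.com
Subject: Need your help with a payment

Are you at your desk? I need something handled quietly.
"""

LEGIT = """From: Jane Doe <jane.doe@example.com>
To: finance@example.com
Subject: Board deck

Draft attached, comments welcome.
"""

if __name__ == "__main__":
    for label, sample in (("spoofed", SPOOFED), ("diverted", DIVERTED), ("legit", LEGIT)):
        print(label, "->", bec_indicators(sample) or "no indicators")
```

A message that trips indicator 1 or 3 is the case for the article’s verbal confirmation rule: the mail client’s “Reply” button cannot be trusted to reach the person whose name is on the message, so the request is confirmed by phone on a number already on file.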

Organizations have a duty to their employees and customers to protect their data. Continually evaluating IT safeguards, security awareness, compliance, and business objectives should be prioritized and balanced.

Consider a Continuous Penetration Testing program or Pen Testing as a Service (PTaaS) to assess your safeguards throughout the year for a proactive security approach.

Enhance your security strategy to address your changing working environment and risk profile due to COVID-19. HALOCK is a trusted cyber security consulting firm and penetration testing company headquartered in Schaumburg, IL in the Chicago area servicing clients throughout the United States on reasonable security strategies.

Are you prepared for a cyber security incident? Assess your incident response readiness. If you have a security incident, we can help minimize the impact.

Incident Response Hotline: 800-925-0559